WORLD fNTELLECTUAL PROPERTY ORGANIZATION 
International Burcuu 




PCX 

TNTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) Internationul Patent Classification ^ 
H04L 9/30 



Al 



(11) International Publication Number: 
(43) International PubUc»tion Date: 



WO 99/16209 

I April 1999 (01.0499) 



(21) International Application Number: PCT/US98/20036 

(22) International Filing Date: 22 September 1998 (2Z09.98) 



(30) Priority Data: 
60/059,455 



22 September 1 997 (22.09.97) US 



(71) Applicant: EOLAS TECHNOLOGIES. INCORPORATED 

[US/US]; 10 East Ontario Street, Chicago, IL 60611 (US), 

(72) Inventor: DOYLffTMichael, D.; 824 Dawes Avenue, Wheacon, 

TL 60187 (US). 

(74) Agent: KOLEFAS. Chri$; Baker & McKenxie. 805 Thiul 
Avcnuo» New York, NY 10022 (US). 



(81) Designated States: AU AM, AT. AU. A2, BA. BB, BG» BR 
BY, CA, CH. CN. CU, CZ^ DE. DK. EE. ES, Fl, OB, Ge! 
GH, GM, HU, ID, IL, IS, JP, KE, KG, KP, KR. K2. LC, 
LK. LR, LS, LT, LU, LV. MD, MG. MK, MN, MW, MX. 
NO. NZ. PL, PT. RO. RU, SD, SE, SG, SI, SK, SL;. TJ, 
TM. TR, TT, UA, UG, UZ, VN, YU, ZW. ARIPO patent 
(GH, GM. KB. LS. MW, SD, S2, UG. 2W). Eurasian patent 
(AM, AZ, BY, KG, KZ, MD. RU, TJ, TM), European patent 
(AT, BE, CH. CY, DE, DK, ES, PI. FR, GB, GR. IE, It, 
LU. MC, NL, PT, SE). OAPI patent (BF, BJ, CP, CG, O, 
CM, GA. GN, GW, ML, MR, NE, SN. TO, TG). 

O 

Published ^co 
With internaiional search report. w o? 

Before the expiration cf she rime limit for omendin^'^ifse 
claims and to be republished in the event of the ret^/^f - 
atnendments. fP^^^'= 

^ s 



(54) TiUe: METHOD AND SYSTEM FOR TRANSIENT KEY DIGITAL TIME STAMPS 




0 



Ccncr^remmp 
ocnincita for ewntf 
.la rcqutitDr 




(fling p&»*\o itcfaf^^^^•^ 



(57) Abstract 

Irrefumblc public key digital signature timo-stamps (1040) arc created and used based upon, for example, the concept of transient 
timc-interval-relaicd secret cryptographic keys (2010). which are used to digitally sign (2030) submitted data during specific time intervals, 
and dien permanently desu'oyed (2040). The public-key correlate for each time interval is saved for future authentication of the content of 
ihne-stampcd data and time of creation of time-stamped data. The validity of the public keys is ensured through the certification of each 
time inteivars public key using the previous time interval's Secret key, immediately before that secret key is destroyed. 
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METHOD AND SYSTEM FOR TRANSIENT KEY DIGITAL TIME STAMPS 
FIELD OF THE INVENTION 

The present invention relates to a method for digital time 
stamping data. More particularly, the present invention 
relates to the digital time stamping of data, without the need 
5 for subsequent third party verification, by the chaining of 
key pairs, the key pairs being generated for particular time 
intervals. 

BACKGROUND INFORMATION 

10 The concept of chain of evidence has long ~been a fundaimental 
tenet of the U.S. judicial system. Many legal situations 
depend upon the ability to proye that a certain piece of 
evidence existed at a certain point in time and that it has 
not been subsequently altered. In the past, when most of the 

15 possible types of evidence consisted of material objects, 

there was a need for a protocol of a "chain of witnesses" to 
testify to the veracity of an evidentiary object in question. 
Historically, if the evidence was under the control of only a 
finite set of individuals, and if all of those individuals 

20 could testify as to the location and state of the object, then 
the court would accept the claim of authenticity of the 
evidence. 



Of course, such a system is dependent upon the availability of 
25 trustworthy witnesses that will be available and willing to 
testify in any given circumstance. Often times, witnesses are 
available, but not trustworthy, or vice versa. This is 
particularly the case with respect to document authentication, 
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where the details of when a specific document was created or 
signed is in question. Clearly, a system was needed to allow 
one to easily obtain a "witness on demand" in many situations. 



5 This concept of evidentiary authentication is so important to 
so many areas of endeavor, that a formalized system of 
professional document witnesses was developed, for example, 
. called^the Notary Public service. Notary Publics would, for a 
fee. attest to such things as the existence of a document and 

10 the identity of the document holder or signer. Of course a 
notary could not swear to any knowledge of the actual contents 
of a document, since thac would have required that the notary 
keep copies, in perpetuity, of every document ever witnessed 
an impractical requirement. Much of the trust held in the 

15 notary public system related to^' a generally-held belief that 
it was impossible or impractical to forge a notary public's 
stamp and signature, or to buy, a notary public's testimony. 
As computer graphics and desktop publishing technology 
advances, however, the level of difficulty of creating forged 

20 documents and signatures decreases significantly. A result of 
this technological advance is the fact that some states, such 



as California, no longer accept notarization as absolute proof 
of document validity. 



25 As more and more of the information of import in personal and 
business transactions becomes digital in form, the usefulness 

\ of notary-public-style authentication mechanisms decreases. 
Much of this information is stored, accessed and managed 
through computer database management systems. All major 

30 database systems permit time stamping of data in records. 
Many commercial and governmental systems depend upon the 
assumption of veracity of such database time stamps. The 
presumption is that, if the organization is trustworthy, then 



2 
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the time stamps in their databases can be believed. In 
practice, this assertion requires a large degree of, to borrow 
a literary term, "willing suspension of disbelief.' No one, 
of course, can safely assume that all individuals within a 
5 large organization are trustworthy, even if the organization, 
itself, is believed to be so. Furthermore, it is now well 
known that no conventional computer database system is immune 
from the possibility of data tampering or "hacking" by 
dishonest individuals . 

10 

One approach that has been developed to deal with some of this 
problem is based upon a technology called "public key" 
cryptography. One of the most well known of this type of 
system is the program called Pretty Good Privacy, distributed 

15 by the Massachusetts Inscitute'of Technology, which makes use 
of the Rivest-Shamir-Adleman (RSA) public key cryptosystem. 
Such systems are built around .Jthe concept of encrypting data 
in such a way that allows both secure transmission and 
authentication of sensitive data. Public key systems employ a 

20 pair of cryptographic keys for each encryption/decryption 

event. One key is kept secret by the owner (e.g., the private 
key), and the other key is publicly distributed (e.g., the 
public key) . A message encrypted with one of the keys in a 
key pair can only be decrypted with the other key, and""vice " * 

25 versa. 

This system allows, for example, the encryption of data by one 
individual, using a second individual's public key. The 
message could then be sent to a second individual over 
30 unsecure channels, and only the second individual could access 
the unencrypted data, since it could only be decrypted with 
the second individual's private key. 
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Prior to using the second individual's public key to encrypt 
the data, the first individual could have used his or her 
private key to encrypt the data, thereby digitally "signing" 
the data. The recipient could then use che sender's public 
5 key to decrypt it, thus proving that it actually came from the 
sender, since only the sender could have used the correct 
secret key to sign the data. Such a system provides both 
confidentiality of data and a mechanism for authentication of 
the identity of the sender. It also proves that the data 

10' c"buld not have been altered in any way since the time it was 
encrypted by the sender. Public keys, themselves, can be 
"certified" by signing them with a trusted individual's secret 
key (e.g., a digital signature). Others can then assess the 
authenticity of published public keys by authenticating them 

15 using that trusted individual's public key. If that trusted 
individual later loses faith in the validity of the certified 
key, then he can issue a so-called revocation certificate, 
signed by the trusted individual's private key, that notifies 
others that the previously-certified public key is no longer 

20 to be trusted in the future. 

Public key algorithms are notoriously slow. For this reason, 
virtually all public key digital signature systems use what is 
called a "cryptographically-strong one-way hash function" to . 

25 create what is called a "message digest" from the data to be 
signed. This 'message digest is a unique representation of 
that data, sort of a data fingerprint, that is typically much 
smaller than the original data. For example, the message 
digests that PGP uses are only 128 bits in length. The 

30 message digest is then encrypted using the sender's secret key 
before sending the data to the recipient. The recipient can 
then use the sender's public key to automatically decrypt the 
message digest and then verify that it does indeed match the 
original data. This is a very secure system, since it is 
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computationally infeasible for an attacker to devise a 
substituce message that would provide an identical message 
digest. Most estimates state that it would take 10'"12 or more 
years (caking into account Gordon Moore's "law" relating to 
5 increases in chip capacity over time) to successfully fake a 
128-bit message digest using the algorithm employs by the PGP 
software package. Also, changing even a single byte of a 
digested message would cause the hash function to be unable to 
match the message digest to the unencrypted data. \ 

10 

Public key digital signatures, therefore, can irrefutably 
prove that signed data was originally signed by a given secret 
key and that the data has not changed in any way since the 
signature was made. Systems such as PGP routinely attach 

15 time-stamps to both key pairs at their creation, and to 

digital signatures, each time they are created. Such time- 
stamps, however, are dependent only upon the internal clocks 
within the computers being used, and thus are subject to 
inaccuracies or falsification by, for example, an individual 

20 intentionally changing the time on a computer's clock in order 
to make it falsely appear that a given digital signature was 
created at a specific point in time. 



For this reason, a new type of notary public has arisen, which 
25 uses public-key digital signatures to notarize, for a fee, 
digital information typically submitted over the Internet . 
\ These so-called "digital notaries" are, essentially, 

businesses that provide such a service and agree to attest to 
the veracity of both the content of the original data, as well 
30. as the time at which the signature was made. This is a major 
improvement over the notary public concept of old, since the 
new digital notary services can testify to the fact that data 
which has been digitally signed by their service existed at a 

5 
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certain point in time, and that it hasn't been altered in any 
way since that point in time. The largest problem with such 
digital notary services, and also a motivating reason for the 
method according to the present invention, is the fact that 
5 the authenticity of such digital-notary-generated digital 

signatures is wholly dependent upon the trustworthiness of the 
institution and individuals running the digital notary 
service. 



10 To solve this problem, a system is needed that will. , 

automatically and rigorously prove the veracity of digital 
signature time-stamps, without depending upon the 
trustworthiness of the institution or individuals 
administering a digital notary service. Transient-key digital 

15 time-stamps according to an embodiment of the present 
invention provide these capabilities . 

SUMMARY OF THE INVENTION 

According to an embodiment of the present invention, 
20 irrefutable public key digital signature time-stamps are 

created and used. The system is based upon, for example, the 
concept of transient time-interval-related secret . — ^ . 
cryptographic keys, which are used to digitally sign submitted 
data during specific time intervals, and then are permanently 
25 destroyed. The public-key correlate for each time interval is 
y saved for future authentication of the content of time-stamped 
data and time of creation of time-stamped data. The validity 
of the public keys is ensured through the certification (e.g., 
signing) of each time interval's public key using the previous 
30 time interval's secret key, immediately before that secret key 
is destroyed. 

6 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 illustrates an exemplary flowchart for a method for 
digital time stamping according to an embodiment of the 
present invention - 

5 

Figure 2A illustrates a portion of an exemplary flowchart for 
another method for digital time stamping according to an 
Smbodiment of the present invention. 

10 Figure 2B illustrates another portion of an exemplary 
flowchart for another method for digital time stamping 
according to an einbodiment of the present invention. 

Figure 3A illustrates a first exemplary embodiment for a time 
stamping system according to the present invention. 

15 

Figure 3B illustrates a second exemplary embodiment for a time 
stamping system according to the present invention. 

DETAILED DESCRIPTION OF THE INVENTION 

20 The digital time stamping method according to an embodiment of 
the present invention provides a mechanism to irrefutably 
prove that a collection of data existed at a given interval of 
\ time and has not changed since that interval of time. A 
significant advantage of the present invention is that it 

25 provides non-repudiation to the user. It is difficult to deny 
the veracity of the time-stamp certificates generated by the 
method according to an embodiment of the present invention. 
For example, the system does not depend upon the 
trustworthiness (or later existence) of any external 
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"certification authority" or any external time tracking 
system. Rather, all that is needed to authenticate the time 
stamp generated according to an embodiment of the present 
invention is, for example, nhe time-stamped data, the 
5 signature from the time-stamp certificate, the time interval's 
public key from the time-stamp certificate, and a 'standard 
public-key authentication program, such as either the free or 
commercial version of PGP. Other public key encryption 
. programs such as the J/CRYPTO Professional Cryptography 
10 Classes for Java Developers 

(hctp: //www.baltimore. ie/products/ jcrypto/index.html) could 
also be used with the present invention. Moreover, the method 
according to an embodiment of the present invention will work 
with any kind o£ computer data. 

15 

Systems utilizing the method for transient-key digital time 
stamps according to the present invention can be set up as, 
for example, Internet servers, stamping all requests on a fee- 
for-service basis. The time of creation and the internal 

20 state of information can be proven without endangering the 
confidenciality of sensitive data. The time stamping method 
according to an embodiment of the present.. invention makes the 
method suitable for use in, for example, invention 
documentation systems. Accordingly, the method according to " ' 

25 an embodiment of the present invention can also be used to 
authenticate critical confidential records, such as medical 
records and financial transactions, can be easily adapted to 
any computing platform, and is not dependent upon any specific 
public-key algorithm. 

30 

Figure 1 illustrates an exemplary flowchart for a digital time 
stamping method according to an embodiment of the present 
invention. In step 1010 a key pair is generated at time 

8 

\^Z/U'd S899Tt?t78 01 231B SSL t'TG 13Ny31N I -IbOBI WHI ZS:ST 66< Zl "ini 




PCT/US98/20036 



WO 99/16209 



interval t^.. As is knovm in the art, the key pair includes a 
public key and a private key. The time interval can be any 
defined period, e.g., every second, 10 seconds, minute or 10 
minutes. The current time interval is referred to as t^. In 
5 step 1020, it is determined if a cime stamp request is 

received during time interval t^. If no time stamp request is 
received during time interval t^, then the process returns to 
step 1010 to generate a new key pair for the next time 
, ipterval, n being incremented by 1 to indicate the next time 
10 interval. 

If a time stamp request is received during time interval t^, in 
step 103 0 the daca accompanying the time stamp request is 
automatically signed. For example, a conventional message 

15 digest for the data could be generated that would be 

automatically encrypted using the private key of time interval 
t^. As a result of signing the^data, the signature of the time 
scamp can only be decrypted using the public key of time 
interval t^. In step 1040, a time stamp certificate is 

20 generated for delivery to the requestor indicating the 
temporal existence of the data. In step 1050, it is 
determined if additional time stamp requests are received 
within time interval t^^. 

25 If no additional time stamp requests are received, then the 
private key for time interval tf, is deleted in step 1060 and 



the process returns to step 1010 to generate a key pair for 
the next time interval, n being incremented by 1. If further 
time stamp requests are received during time interval tp, then 
30 the process returns to step 1030 to process each further time 
stamp request. As indicated in step 1060, the private key for 
time interval tn is deleted at the end of the time interval and 
•the public key would be, for example, archived for subsequent 



'7Z/ZV6 
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use to decrypt the time stamp. Thus, a separate private key 
is used to automatically time stamp the data associated with a 
time stamp request received during each defined time interval 
according to an embodiment of the present invention. 



The process according to an embodiment of the present 
invention illustrated in Figure 1 differs from prior art 
. systems^ in that, for example, the key pairs are automatically 
generated every defined time interval and the data 

10 accompanying the time stamp request is automatically signed 
using the private key of the time interval that the time stamp 
request is received, the private key being deleted after the 
time interval. In contrast, prior art time stamping systems 
would use a single private key to sign all time stamp requests 

15 and employ a separate mechanism; usually based on the computer 
system implementing the time stamp, to provide the time stamp 
data. Also unlike the time stamping method according to an 
embodiment of the present invention, some prior art systems 
would chain together the message digests for sequentially- 

20 submitted documents that have been signed to generate the 
message digest encrypted for the time stamp, for example, as 
described in U.S. Patent No. 5,136,647 , which is hereby 
incorporated by reference. 

25 Figure 2A illustrates an exemplary flowchart for a digital 
time stamping method according to another embodiment of the 

^ present invention. In step 2010 a key pair is generated. As 
is known in the art, the key pair includes a public key and a 
private key. According to an embodiment of the present 

30 invention, a key pair is generated for each time interval 

utilized by the system implementing the time stamping method. 
The implementing system can include, for example, a 
conventional general purpose computer, such as a 
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microprocessor based personal computer or server. In an 
embodiment of the present invention, the method is implemented 
in software that executes on a client-server computer system 
architeccure. The time interval can be any defined period, 
5 e.g., every second, 10 seconds, minute or 10 minutes. The 
current time interval is referred to as t^, and the next time 
interval is referred to as t-,.i. For the purposes of time 
scamping documents, accuracy to the minute may be sufficient 
• feor subsequent authentication purposes. 

10 

In step 2020, another key pair is generated at time t-.i- Like 
the first key pair, the next key pair also has a public key 
and a private key. To generate the key pairs in steps 2010 
and 2020, a conventional digital time stamping system such as 

15 PGP could be modified to automatically generate key pairs 
every defined time interval. For example, conventional 
digital time stamping systems are designed for users to 
generate key pairs, usually via user I/O with the- system to 
input the infoirmation necessary to generate a key pair (e.g., 

20 a pass phrase and a random seed required by PGP) - According 
to an embodiment of the present invention, the source code for 
such systems could be modified to generate, for example, a 
pass phrase and a random seed that would be automatically fed 
to the key pair generation algorithm for each defined time 

25 interval, thereby automatically providing the input normally 
provided by a user to generate a key pair. 

V In step 2030, the public key of time interval t^,^ is signed 
using .the private key of time interval tn- For example, a 
conventional message digest for the public key of time 

30 interval t^,^ could be generated that would be encrypted using 
the private key of time interval t^. As a result of signing 
the public key of time interval tn.i, the signature of the 
public key can only be decrypted using the public key of time 
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interval t„. The signing of the public key of time interval 
tn.i using the private key of time interval t^ could be 
accomplished, for example, using script based control of 
existing software, such as the PGP software (e.g., a single 
5 command line instructing that one key sign another key) . In 
step 2040, the private key of time interval t^ is deleted. 
Thus, the private key for time interval t;, exists for the 
duration o£ time interval t^, and for the time necessary during 
. time interval Cn^j to sign the public key of time interval tp.j. 
10 In step 2050, the public key for time interval t„ is archived 
for subsequent use, e.g., to decrypt the time stamp on the. 
public key of time interval t.^,;. 

In step 2060, it is determined if a cime stamp request is 

15 received during time interval t^,-^. If no time stamp request 
is received, then the process returns to step 2020 to generate 
a key pair for the next time interval, n being incremented by 
1. If a time stamp request is received during time interval 
t,,.i, in step 2070, illustrated in Figure 2B, the data 

20 accompanying the time stamp request is signed using the 

private key of time interval t^.^. For example, as is known in 
the art, a conventional message digest for the data to be time 
stamped according to an embodiment of the present invention 
could be generated that would be encrypted using the prTvate " * 

25 key of time interval t^.^. As a result of signing the data 
using the private key of time interval t„.i, the signature of 
the time stamp could only be decrypted using the public key of 

^. time interval t^.^, which public key itself has been time 

stamped according to an embodiment of the present invention 

3 0 and can be authenticated only using the public key of the 

prior time interval t^, as described above. Therefore, using an 
embodiment of the method according to the present invention, 
authentication of the time stamp on data is self -validated as 
the keys for two time intervals have been chained together. 
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No independent third party is required to verify that the time 
stamp on the data is accurate. In another exemplary 
embodiment, the key pair for t^.i is generated and certified in 
advance, during the end of the prior time interval t„, to 
5 insure that the key pair for time interval t^.^ is available 
immediately at the beginning of t^,^. 

. Jn step 2080, a stamp certificate is generated for delivery to 
the requesting party. According to an exemplary embodiment of 

10 the present invention, such a stamp certificate includes a. 
digital signature of the submitted data and the certified 
public keys for time intervals t^ and tn.i. In step 2090, it is 
determined if any additional time stamp requests are received 
within time interval t^.^ , If no further time stamp requests 

15 are received within time interval t^.j, the process returns to 
point B on Figure 2A to generate the key pair for the next 
time interval. If another time stamp request is received 
during time interval tn^j, in step 2100 the data accompanying 
the time stamp request is signed using the private key of time 

20 interval t^^i as described above and the process loops back to 
step 2090- until no further time stamp requests are received 
during time interval t^-i . 

The method according to an embodiment of the present invention 
25 for time stamping data can be implemented, for example as 
software, firmware or hard-wired logic using a suitable 
general purpose computer. For example, the software 
implementation of the present invention can be written in the 
Java programming language, that can run on any platform. 

30 

Figure 3A illustrates an exemplary client-server architecture 
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for implementing the time stamping method according to an 
embodiment of the present invention. In a client-server 
architecture, the server portion of time stamping program for 
an embodiment of the present invention would reside in, for 

5 example, a memory 3015 of the server 3010. The time stamping \ 
program would execute on the cpu 3016 connected to the memory 
3015. The server 3010 is connected to the client 3020 via, 
for example, a connection 3030, such as a LAN, WAN or Internet 
• eonnecfcion. The client computer 302 0 would include a time 

10 stamping client portion of the method according to an 

embodiment of the present invention residing in a memory 3025, 
the time stamping client program executing on the cpu 3026 
connected to the memory 3025. An I/O device 3040, such as a 
keyboard or mouse provides, user access to the time scamping 

15 method according to an embodiment of the present invention. 



In operation, for example, a user would identify data to be 
time stamped via the I/O device 3 040 which would cause the 
client application program stored in memory 3025' to execute in 

20 memory 3026 and generate ^a message digest for the data, for 
example in a manner known- in the art. The message digest 
would be transmitted via connection 303 0 to server 3 010, where 
the application program stored in memory 3015 would execute in 
memory 3016 to time stamp the message digest and return a tim'e 

25 stamp certificate to client computer 3020 via connection 3030, 
for example as described in Figures 1 or 2A-2B. 

In an alternative implementation of the client-server 
architecture illustrated in Figure 3A, the signing could occur 
30 at the client computer 3020. For example, via the I/O device 
3040, a user could .identify data to be time stamped and submit 
the stamp request to the server computer 3010 via connection 
3030 without providing a message digest for the data. In 
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response to the stamp request, the server 3010 would generate 
a key pair for the current time interval according to an 
enODodiment of the present invention (e.g., with a public key 
signed by the private key of the prior time interval key pair) 
5 and return the key pair for the current time interval, the 
passphrase for the time interval's private key, and the public 
key from the prior time interval to the client computer 3020. 
To ensure the secrecy of the transmission from the server 3010 
• t?o the-^lient 3020, the connection 3030 can include, for 

10 example, a secure channel using SECURE SOCKETS LAYER (SSL) . 
Once the client 3020 receives the transmission from the server 
3 010, the client can generate the message digest and sign the 
message digest of the time stamp request using the private key 
of the current time interval, for example in a manner as is 

15 known in the art. After the time scamp is created, the 
client-side copies of the associated private key and 
passphrase are then immediately deleted. 



In yet another alternative embodiment of the client-server 
20 architecture illustrated in Figure 3A, the client computer 
3020 can generate its own key pair and use a key pair 
generated by the server 3010 to time stamp the public key of 
the key pair generated by the client' computer 3020. For 
example, the client computer 3020 would generate a key pair 
25 and transmit the public key of the key pair to the server 3010 
via connection 3 030. The private key of a key pair generated 
by the server 3010 for the current time interval would be used 
to sign the public key from the client 3020. The signed 
public key and the public key of the key pair generated by the 
3 0 server would be transmitted back to the client 3020. The 
private key from the key pair, generated by the client 3020 
would be used to time stamp the data. Immediately after the 
time stamp was produced, the client-side private key would be 
immediately deleted, then the clienc-side public key would be 

15 

t^e/Srd S899Tt7t78 01 09T8 SSL PIS 13Nd31N I -iy33"l WHI SS:ST 66. £1 in£ 





wo 99/16Z09 



PCTAJS98/20036 



revoked by using the server-side private key to issue a 
revocation certificate for the client-side public key. The 
private key from the server 3010 would be destroyed. The 
revocation certificate would be incorporated into the time 
5 stamp certificate, together with the signature of the data, 
the server-side public keys for the current and previous time 
intervals, and the client-side public key. 

• •» 

Figure 3B illustrates an alternative embodiment for a system 
10 implementing the time stamping method according to an 

embodiment of the present invention. In Figure 3B, the time 
stamping method is carried out in a single computer system 
3100, such as a relational database system or a financial 
transaction system. Computer system 3100 includes a memory 
15 3115 connected to a cpu 3116. An I/O device 3140, such as a 
keyboard or mouse, is connected to the computer 3100 and 
provides user access to the tiihe stamping method according to 
an embodiment of the present invention. The memory 3115 would 
contain, for example, both the resident program to generate 
20 the message digests for data to be time stamped and the time 
stamping program according to an embodiment of the present 
invention. 

According to the illustrative embodiment of Figure 3B, either 
25 the user would identify data to be time stamped via the I/O 
device 3140 or the system would automatically identify data to 



be time stamped, for example as in response to a database 
transaction. Identification of the data to be time stamped 
then would cause the resident program stored in memory 3115 to 
30 execute in CPU 3116 and generate a message digest for the 

data. The message digest would be provided to the application 
program, also stored in memory 3115, which would execute in 
CPU 3116 to time stamp the data and return a time stamp 
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certificate to the resident program, which could cause the 
time stamp certificate to be forwarded to the I/O device 3140 
for the user, 

\ 

5 Therefore, according to the present invention, key pairs are 
generated for particular time intervals and time stamp 
requests are automatically carried out using the private key 
£or Che time interval, the private key being destroyed after 
the time interval. In another embodiment of the present 

10 invention, the private . key of a prior time interval is used to 
sign the public key for a subsequent time interval before the 
private key of the prior time interval is destroyed. In this 
embodiment of the present invention, every time interval has 
its own key pair for which the private key is destroyed after 

15 signing the public key for the *'next time interval. According 
to the present invention, key pairs do not have to be 
continuously generated every time interval, but can be pre- 
generated and selected from a queue for each time interval 
that a time stamp request is received. 

20 

The time stamping method according to an embodiment of the 
present invention uses public key cryptography in a new way 
to, first, create key pairs that correspond not to fixed 
entities, such as previous systems employ, but which 

25 correspond to transient time intervals; and second, to provide 

a mechanism to use the keys, and signatures created by those 
^ keys, to provide rigorous proof of the time of existence and 
the authenticity of the content within data signed by the 
system. As mentioned above, a feature of the system is that 

30 the secret key for a given time interval only exists for a 
finite, typically very short, period of time, and is replaced 
by subsequent secret keys as subsequent time intervals 
proceed. A public key cryptography system, such as PGP with 

17 

U£/2Z'd S899Tt7t78 01 09T8 SSI t^TS IBNyBlN I -1^331 WSI dd 9S:ST 66. CT inf 



wo 99/16209 ^ ' ^ PCT/US98/20036 



the above-described modifications, is employed to 
automatically generate a series of public-key encryption key 
pairs at regular time intervals. Each key contains a 
designation, for example typically within the key's user lb, 
5 which identifies the specific time interval during which it is 
to be (or was) used. For dynamically-created keys, the 
minimum possible duration of a time interval is limited by the 
time necessary for creation of a key pair and the use of that 
key pair to validate a public key. AS indicated above, 
10 shorter time intervals can be enabled by pre-generating the 
key pairs . 

As illustrated above, the veracity of the time designation is 
proven by "chaining" of signatures, so that each new time 

15 interval's public key is certified (e.g., digitally signed) 
using the prior interval's secret key, immediately prior to 
deleting that prior time intei;yal ' s secret key. This is done, 
for example, by using the prior time interval's secret key to 
digitally sign the new time interval's public key. 

20 Immediately after the public key is signed, the prior 
interval's secret key is deleted 



The public key of each key pair is stored for future u'se. Any 
given private key is used for time- stamping data only during 

25 the time interval immediately following the interval within 
which the private key was generated. During its interval of 
use, the secret key is used to digitally sign and time-stamp 
all data submitted to the system for such processing. As data 
is submitted to the system for time- stamping, these data are 

30 processed by signing them using the respective time interval's 
private key. This signing process generates a time-stamp 
certificate. Each time-stamp certificate includes, for 
example, the digital signature of che data generated by the 
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secret key and the certified public key for the current time 
internal of use. Each innerval-of-use ' s public key can be 
also archived for future reference. For use in easy 
authentication of nime-stamp certificates in the future, all 
5 time-stamp certificates can be archived as well, although such 
time-stamp certificate archiving is not necessary for later 
proof of the veracity of time-scamps generated by the system. 



At the end of each time interval, a new key pair is generated, 

10 the public key of the new pair is certified {e.g., signed) by 
the current time interval's secret key, and that secret. key is 
then deleted, and the cycle continues. Validation of a time- 
stamp at any later point requires using the respective time 
interval's public key to authenticate the digital signature in 

15 the time-stamp certificate. Validation of that public key is 
accomplished by using the previous time interval's public key 
to authenticate the certif icatd^on signature on the public key 
to be authenticated. The ability to trace back through the 
"chain" of public key certification signatures provides 

20 irrefutable proof of the location, in time, of any individual 
time interval's stamp within the chain of signatures. Further 
evidence of the exact time that a given time interval key was 
in use can be provided by tracking other certificates that 
were generated by the same key and collecting evidence^bf the- • 

25 time of generation of those signatures and the signed data 

relating to them. Since the secret key for each time interval 
is destroyed immediately after that time interval passes, it 

^ is virtually impossible to create a bogus time-stamp after the 
fact. 

30 

Many other implementations of the time stamping method 
according to an embodiment of the present invention are 
possible as well. As described above, for example, one could 
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calculate the message digests ac the users' sites, and send 
only those message digests to the server for signing. This 
would both insure confidentiality of data and efficient 
network bandwidth usage. 
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WHAT IS CLAIMED IS: 

1. A method for certifying data, comprising the steps of: 

generating a key pair at a first time interval, the 
key pair including a private key and a public key; 

receiving an certification request ; 

automatically responding to the certification 
requests by digitally signing data associated with the 
certification request using the private key; and 

deleting the private key. 

2. The method according to claim 1, further comprising the 
step of generating a time stamp' certificate confirming the 
digital signing of the data. 

3. The method according to claim 1, further comprising. the 
step of archiving the public key of the first time interval. 



4. The method according to claim 1, further comprising the 
step of authenticating the digitally signed data using the 
public key, 



5. The method according to claim 1, further comprising the 
step of determining if a further certification request is 
received during the first time interval. 



6, The method according to claim 5, further comprising the 
step of, for the further certification request, automatically 
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responding to the further certification request by digitally 
signing data associated with the further certification request 
using the private key, wherein the step of deleting the 
private key is performed after the further certification 
request has been responded to. 

1. The method according to claim 1, further comprising the 
s^teps of: 

generating a key pair at a next time interval, the 
key pair including a private key and a public key; 

receiving a next certification request; 

automatically responding to the next certification 
request by digitally signing data associated with the next 
certification request using the private key of the next time 
interval; and 

deleting the private key for che next time interval - 



8. A method for certifying data, comprising the steps of: 

generating a first key pair at a first time 
interval, the first key pair including a first public krey and . 
a first private key; 

generating a second key pair at a second time 
interval, the second key pair including a second public key 
and a second private key; 

signing the second public key using the first 
private key; 

deleting the first private key; 

processing an certification request during the 
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second time interval using the second private key: and 
deleting the second private key. 

9. The mechod according co claim 8, further comprising the 
step of archiving the first public key. 

lio. Th'e method according to claim 8, wherein the step of 
processing the certification request includes automatically 
responding to the certification request by digitally signing 
data associated with the certification request using the 
second private key. 

11. The method according to claim 10, further comprising the 
step of generating an time stamp certificate confirming the 
digital signing of the data. 

12. The method according to claim 11, wherein the time stamp 
certificate includes the digital signature and the second 
public key. 

«• 

I 

13. The method according to claim 12, wherein the time stamp 
certificate further includes the first public key. 

14. The method according to claim 8, further comprising the 
step of certifying the digitally signed data using the first 
public key. 
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15. A syscem for certifying data, comprising: 

a general purpose computer; and 

an I/O device coupled to the general purpose 
computer, wherein the general purpose computer includes a 
memory containing a program executable by the general purpose 
computer, the executable program instructing the general 
purpose computer to 

^ generate a key pair at a first time interval, 

the key pair including a private key and a public key, 

receive an certification request, 

automatically respond to the certification 
. request by digitally signing data associated with the 
certification request using the private key, and 

delete the private key. 

16. The system according to claim 14, wherein the general 
purpose computer has a client-server architecture including a 
client computer and a server computer- 

17. A system for certifying data, comprising: 

a general purpose computer; and 

an I/O device coupled to the general purpose 
computer, wherein the general purpose computer includes a 
memory containing a program executable by the general purpose 
computer, the executable program instructing the general 
purpose computer to 

generate a first key pair at a first time 
interval, the first key pair including a first public key and 
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a first private key, 

generate a second key pair at a second time 
interval, the second key pair including a second public key 
and a second private key, 

sign the second public key using the first 

private key, 

delete the first private key, 

process an certification request during the 
second time interval using the second private key, and 

delete the second private key. 



18. The system according to claim 16, wherein the general 
purpose computer has a client-server architecture including a 
client computer and a server computer. 
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